Michael Stone <mstone@debian.org> writes:
> On Fri, Jul 18, 2008 at 01:17:43PM +0200, Goswin von Brederlow wrote:
>>Or just one DNS server or even just the users client.
>
> You'd also have to keep the DNS server wrong. Doing this in a manner
> that people don't notice is (IMO) hard, because people do go looking
> for particular security updates. And if the client is already
> compromised, who cares about whether the update mechanism has
> theoretical issues?
>
> Mike Stone
See the latest DNS vulnerability about how you can compromise a clients
DNS without having to hack a DNS server.
Only way people notice a spoofed dns reply is when they saw a security
update being announced and apt-get won't get it. Not everybody does,
some people just run apt get and trust it to work.
MfG
Goswin